US20200169577A1 - Method and apparatus for generating virtual malicious traffic template for terminal group including device infected with malicious code - Google Patents
- Publication number: US20200169577A1 (application US16/517,500)
- Authority: United States
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Definitions
- the present disclosure relates to a method of generating a virtual malicious traffic template for a terminal group, and more particularly, to a method of generating virtual malicious traffic that may occur in a terminal group including a device actually infected with malicious code by using traffic data generated by the device.
- IoT: Internet of things
- various devices are connected by a network to form one terminal group. Since smart devices included in the terminal group are connected by a wired/wireless network, if one device is infected with malicious code, the malicious code can be rapidly transmitted to the entire terminal group. Therefore, there is a need for a rapid and accurate technology that can detect malicious code infection within the terminal group. Accordingly, various machine learning algorithms are being developed to detect malicious code infection using traffic data generated in a network.
- a system for monitoring an IoT terminal group by utilizing machine learning technology using an anomaly detection model that performs unsupervised learning or an intrusion detection model that performs supervised learning is being actively developed.
- machine learning using an unrefined data model is very economically inefficient due to an unnecessary waste of resources, and an algorithm trained using the unrefined data model has low accuracy. Therefore, it is required to provide a technology that generates an optimal learning model for a terminal group infected with malicious code.
- aspects of the present disclosure provide a method and apparatus for generating a virtual malicious traffic template for a terminal group in a normal state and including a device infected with malicious code by using previously generated traffic information of the device.
- aspects of the present disclosure also provide a method and apparatus for generating a virtual malicious traffic template for a terminal group including a device not infected with malicious code by using traffic information generated by the device in a normal state.
- aspects of the present disclosure also provide a method and apparatus for generating an optimal learning model, which can be used for machine learning used in a malicious code monitoring system of a terminal group, by using a malicious traffic template for the terminal group.
- a method of generating malicious traffic, the method being performed by a computing apparatus and comprising: obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device; generating a traffic template of the first device by analyzing the traffic data; and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
- a method of generating malicious traffic, the method being performed by a computing apparatus and comprising: obtaining normal traffic data related to a terminal group which comprises a first device not infected with malicious code; generating a virtual malicious traffic template of the first device infected with malicious code by using the normal traffic data of the first device and behavior analysis information of first malicious code; and generating a malicious traffic template of the terminal group, wherein the malicious traffic template of the terminal group comprises the malicious traffic template related to the first device infected with the malicious code.
- a computing apparatus comprising a memory into which a malicious traffic generation program is loaded and a processor which executes the malicious traffic generation program loaded into the memory, wherein the malicious traffic generation program comprises: an instruction for obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device; an instruction for generating a traffic template of the first device by analyzing the traffic data; and an instruction for generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
- FIG. 1 is a diagram for explaining the configuration and operation of a system for generating a malicious traffic template according to an embodiment
- FIG. 2 is a flowchart illustrating a method of generating a malicious traffic template according to an embodiment
- FIG. 3 illustrates examples of normal traffic data of a terminal group not infected with malicious code according to an embodiment
- FIG. 4 is a diagram for explaining a method of generating a malicious traffic template by inserting a behavior pattern of malicious code into normal traffic data of a terminal group according to an embodiment
- FIG. 5 is a diagram for explaining a method of generating a virtual malicious traffic template using traffic data of a terminal group infected with malicious code according to an embodiment
- FIG. 6 is a diagram for explaining a method of generating a virtual malicious traffic template using normal traffic data of a terminal group, a malicious code behavior pattern, and traffic data of a terminal group infected with malicious code according to an embodiment
- FIG. 7 illustrates examples of a device whose malicious traffic template is to be generated for each function of the device according to an embodiment
- FIG. 8 illustrates an example traffic template for each function of an AI speaker in order to explain a malicious traffic template for each function of a device according to an embodiment
- FIG. 9 is a diagram for explaining a method of inserting a behavior pattern of malicious code into a traffic template for each function of a device according to an embodiment
- FIG. 10 illustrates a terminal group and device usage information of a user which are used to generate a malicious traffic template for each user of the terminal group according to an embodiment
- FIG. 11 illustrates an example traffic template for each user of an AI speaker in order to explain a malicious traffic template for each user of a device according to an embodiment
- FIG. 12 is a diagram for explaining a method of inserting a behavior pattern of malicious code into a traffic template for each user of a device according to an embodiment
- FIG. 13 illustrates examples of a terminal group whose malicious traffic template is to be generated according to an embodiment
- FIG. 14 is a diagram for explaining a method of generating a network packet to generate malicious traffic according to an embodiment
- FIG. 15 illustrates an example database of terminal group information according to an embodiment
- FIG. 16 illustrates an example database of user information of each terminal group according to an embodiment
- FIG. 17 illustrates an example database of device usage patterns of each user type according to an embodiment
- FIG. 18 illustrates an example database of device type information according to an embodiment
- FIG. 19 illustrates an example database of device function information according to an embodiment
- FIG. 20 illustrates an example database of traffic pattern information for each device function of a terminal group according to an embodiment
- FIG. 21 illustrates network packets used to generate malicious traffic data of a terminal group according to an embodiment
- FIG. 22 illustrates the hardware configuration of an apparatus for generating a malicious traffic template of a terminal group according to an embodiment.
- a terminal group may denote a set of devices connected directly/indirectly to one network.
- the terminal group may be a set of devices whose Internet protocol (IP) addresses use the same network address but have different host addresses or may be a group of devices connected to one access point (AP) in an Internet of things (IoT) environment.
- IP: Internet protocol
- AP: access point
- a malicious traffic generation apparatus 100 may generate malicious traffic templates for a plurality of terminal groups 10 and 20 by using traffic data generated by the terminal groups 10 and 20 and collected through a network.
- a first terminal group 10 may include a plurality of devices 11 and 12 , and a plurality of users 13 , 14 and 15 may use at least one of the devices 11 and 12 of the first terminal group 10 .
- a second terminal group 20 may include a plurality of devices 21 and 22 , and a plurality of users 23 , 24 and 25 may use at least one of the devices 21 and 22 of the second terminal group 20 .
- the malicious traffic generation apparatus 100 may collect traffic data received by the devices 11 , 12 , 21 and 22 of the terminal groups 10 and 20 or traffic data transmitted from the devices 11 , 12 , 21 and 22 . In addition, the malicious traffic generation apparatus 100 may generate templates for virtual malicious traffic that can occur in the terminal groups 10 and 20 by using the collected traffic data.
- a malicious traffic template may be generated for each malicious code.
- a malicious traffic template may be generated for each type of user 13 , 14 or 15 of the first device 11 infected with the first malicious code
- a malicious traffic template may be generated for each function of the first device 11 infected with the first malicious code
- a malicious traffic template may be generated for the entire first terminal group 10 including the first device 11 infected with the first malicious code.
- the malicious traffic generation apparatus 100 may also collect normal traffic data of the devices 11 , 12 , 21 and 22 not infected with malicious code.
- a malicious traffic template may be generated by inserting behavior information of specific malicious code to the collected normal traffic data. This will be described in detail later with reference to FIGS. 3 and 4 .
- a method of generating malicious traffic of a terminal group according to an embodiment will now be described with reference to FIG. 2 .
- a terminal group whose malicious traffic template is to be generated may be selected.
- the selected terminal group is a group of devices connected through a network as described above.
- Terminal groups may be connected through a network, in which case the IP addresses of the devices within a terminal group may be structured to have, for example, the same network address and different host addresses within one of the classes of IP addresses. This is how IP addresses are generally assigned in a terminal group that uses one AP. Therefore, the terminal group selected in operation S100 may be, for example, one of a plurality of households existing in a specific area or one of a plurality of companies existing in one building.
- in operation S200, it may be identified whether the devices in the terminal group are infected with malicious code.
- a method of generating a malicious traffic template of the terminal group which will be described below may vary depending on whether the devices are infected with malicious code.
- normal traffic data may be obtained from the devices in a normal state.
- the traffic data may be collected using, e.g., TCPDUMP.
- behavior information of malicious code may be inserted into the normal traffic data obtained in operation S300.
- the behavior information of the malicious code includes information about data generated when a device is infected with the malicious code.
- the behavior information of the malicious code may include a pattern of malicious code behavior that occurs in a device infected with the malicious code. This will be described in detail with reference to FIG. 4 .
- a malicious traffic template may be generated for each malicious code in operation S500 by collecting traffic data generated by the device.
- the traffic template may be generated for each function of the device, for each user of the device, and for each terminal group including the device. This will be described in detail later with reference to FIGS. 7 through 13 .
- traffic data received by the device infected with the malicious code may be collected.
- the malicious code may perform an inbound attack, for example one that blocks all access to the device. Since a problem caused by malicious code that performs an inbound attack originates in network data coming from the outside to the device, the computation of the computing apparatus can be minimized by collecting only the traffic data received by the device.
- traffic data transmitted from the device infected with the malicious code may be collected.
- the malicious code may perform an outbound attack, for example one that allows every access attempted by the device. Since a problem caused by malicious code that performs an outbound attack originates in network data going out from the device to the outside, the computation of the computing apparatus can be minimized by collecting only the traffic data transmitted from the device.
- a virtual malicious traffic template may be generated for the terminal group by using the malicious traffic templates generated in operations S400 and S500.
- a malicious traffic template may be generated using the normal traffic data and the malicious code behavior patterns generated in operation S400
- a malicious traffic template may be generated using the malicious traffic template generated in operation S500 and noise traffic
- one malicious traffic template may also be generated using the malicious traffic templates generated in operations S400 and S500.
- a malicious traffic template generated based on a device infected with malicious code can be used in a machine learning algorithm that performs supervised learning.
- a method of generating a malicious traffic template of a device not infected with malicious code by using normal traffic data obtained from the device will now be described with reference to FIGS. 3 and 4 .
- the traffic data 310 generated by a first terminal group may be composed of traffic 313 received by the AI speaker 203 or transmitted from the AI speaker 203 , traffic 312 received by the smart camera 202 or transmitted from the smart camera 202 , and traffic 311 received by the smart TV 201 or transmitted from the smart TV 201 .
- the traffic data 320 generated by a second terminal group may be composed of traffic 323 obtained from the AI speaker 203 , traffic 322 obtained from the smart camera 202 , and traffic 321 obtained from the smart TV 201 .
- the traffic 321 , 322 and 323 may be different from the traffic 311 , 312 and 313 existing in the traffic data 310 generated by the first terminal group in terms of information such as traffic generation time, frequency, etc.
- Traffic of normal traffic data 330 of a device may be replaced with malicious code behavior patterns 410 and 420 , or traffic having the malicious code behavior patterns 410 and 420 may be inserted into the normal traffic data 330 .
- embodiments are not limited to this case, and it should be noted that various patterns of traffic can be generated by adding noise traffic between the malicious code behavior patterns 410 and 420 or replacing the malicious code behavior patterns 410 and 420 with the noise traffic.
- the malicious code behavior patterns 410 and 420 may be extracted from a malicious code behavior pattern 400 of each known malicious code according to an embodiment.
- the malicious code behavior patterns 410 and 420 may include a pattern in which a Mirai botnet, one kind of distributed denial of service attack (DDoS) malicious code, generates traffic by combining character strings and a pattern in which a Leet botnet generates traffic by accessing a local file of a device to damage content and then mixing the content.
- DDoS: distributed denial of service attack
- a malicious traffic template 500 generated for a terminal group may include one or more of malicious code behavior patterns 507 and 508 , normal traffic, and noise traffic 509 .
- the random noise traffic 509 is traffic irrelevant to the malicious code behavior patterns 410 and 420 and may be inserted into the malicious traffic template 500 in various forms to generate various forms of malicious traffic templates 500 . Since various forms of malicious traffic templates 500 are generated, the number of data models to be used in the learning of a machine learning algorithm used by a monitoring system for determining whether a terminal group is infected with malicious code may be increased, thereby increasing the accuracy of the machine learning algorithm.
- a method of generating a terminal group's malicious traffic template 510 including malicious traffic templates 501 and 502 generated using traffic data obtained from a device infected with malicious code according to an embodiment will now be described with reference to FIG. 5 .
- a method of generating the malicious traffic templates 501 and 502 related to the device infected with the malicious code by using the traffic data obtained from the device will be described later with reference to FIGS. 7 through 13 .
- Traffic of a terminal group's malicious traffic template 510 including malicious traffic templates related to the above specific device may include an IP address of a command and control (C&C) server of malicious code. Since the C&C server is a server that transmits control commands which make the malicious code perform a desired attack, a malicious traffic template of a terminal group infected with malicious code can be generated by inserting the IP address of the C&C server into traffic of the malicious traffic template. For example, if traffic is in the form of ‘TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL, BYTES+ . . .
- the IP address of the C&C server may be inserted into the ‘SRC_IP’ field indicating an IP address from which the traffic was transmitted.
- any one of ‘101.101.101.101’ and ‘201.201.201.201’ which are IP addresses 512 and 513 of the C&C server may be inserted into the place of ‘SRC_IP’ in traffic 511 of the malicious traffic template 510 .
- a machine learning algorithm that learns this malicious traffic template as a model may detect traffic, which includes a packet containing the IP address of the C&C server, as malicious traffic.
- a malicious traffic template 520 of a terminal group may be generated using a malicious traffic template 500 generated by inserting malicious code patterns 507 and 508 into normal traffic of a device as described above and traffic templates 501 and 502 generated by analyzing traffic data of a device infected with malicious code.
- a terminal group's malicious traffic template 520 generated using the above method may include at least one of malicious code patterns 521 and 522 , a malicious traffic template 523 of a device, and random noise traffic 524 irrelevant to malicious code.
- One or more of the malicious code patterns 521 and 522 , the malicious traffic template 523 of the device, and the random noise traffic 524 can be replaced with traffic included in a normal traffic template of the terminal group or may be added to the traffic.
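As an added illustration (not code from the patent), the following Python builds a labelled template from constructed normal flow records in the TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL, BYTES layout: behavior patterns are either added to or substituted for normal flows, noise flows are mixed in between them, and the C&C address is written into the SRC_IP field. The pattern shapes, the device address, the noise ranges and the labels are assumptions; the two C&C addresses are the placeholders the text uses.

```python
"""Build a labelled virtual malicious traffic template from normal flow records.

Added example, not the patent's own code. Sample records, behaviour patterns
and noise ranges are constructed; 101.101.101.101 / 201.201.201.201 are the
placeholder C&C addresses used in the text.
"""
import random
from dataclasses import dataclass, replace

FIELDS = ("time", "src_ip", "src_port", "dst_ip", "dst_port", "protocol", "bytes")


@dataclass(frozen=True)
class Flow:
    time: int              # seconds since 00:00
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    bytes: int
    label: str = "normal"  # "normal", "malicious" or "noise" (training label)


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated record in the TIME,SRC_IP,...,BYTES layout."""
    t, sip, sp, dip, dp, proto, b = [f.strip() for f in line.split(",")]
    return Flow(int(t), sip, int(sp), dip, int(dp), proto, int(b))


# Constructed normal traffic (template 330) of one device, an AI speaker at 192.168.0.10.
NORMAL_TRAFFIC = """\
25200,192.168.0.10,50123,93.184.216.34,443,TCP,1800
25260,192.168.0.10,50124,93.184.216.34,443,TCP,2400
43200,192.168.0.10,50125,93.184.216.34,443,TCP,900
"""

C2_ADDRESSES = ("101.101.101.101", "201.201.201.201")


def c2_inbound_pattern(device_ip: str, rng: random.Random) -> list[Flow]:
    """Pattern in the spirit of 410: a C&C address placed in the SRC_IP field."""
    return [Flow(0, rng.choice(C2_ADDRESSES), 6667, device_ip, 23, "TCP", 120, "malicious")]


def flood_pattern(device_ip: str, rng: random.Random) -> list[Flow]:
    """Pattern in the spirit of 420: a burst of equal-sized outbound flows to one target."""
    target = "203.0.113.7"  # constructed (documentation range)
    return [Flow(i * 2, device_ip, 40000 + i, target, 80, "TCP", 64, "malicious")
            for i in range(5)]


def noise_flow(device_ip: str, rng: random.Random) -> Flow:
    """Random traffic unrelated to the malicious patterns (noise traffic 509)."""
    return Flow(0, device_ip, rng.randint(1024, 65535),
                f"198.51.100.{rng.randint(1, 254)}", rng.choice((53, 123, 443)),
                rng.choice(("UDP", "TCP")), rng.randint(60, 1500), "noise")


def build_template(normal: list[Flow], device_ip: str, seed: int = 0,
                   replace_normal: bool = False, noise_per_pattern: int = 2) -> list[Flow]:
    """Insert behaviour patterns, with noise between them, into normal traffic.

    replace_normal=False adds each pattern next to a normal flow; True substitutes
    the pattern for that flow (the two options described for template 500).
    """
    rng = random.Random(seed)
    out: list[Flow] = []
    patterns = (c2_inbound_pattern, flood_pattern)
    for idx, flow in enumerate(normal):
        pattern = patterns[idx % len(patterns)](device_ip, rng)
        # Anchor the pattern's relative times at this normal flow's timestamp.
        anchored = [replace(p, time=flow.time + p.time) for p in pattern]
        if not replace_normal:
            out.append(flow)
        out.extend(anchored)
        for _ in range(noise_per_pattern):
            out.append(replace(noise_flow(device_ip, rng), time=flow.time + rng.randint(1, 30)))
    out.sort(key=lambda f: f.time)  # stable: keeps insertion order within equal times
    return out


def to_csv(flows: list[Flow]) -> str:
    """Serialise the template in the text's field layout plus a trailing label column."""
    return "\n".join(",".join(str(getattr(f, k)) for k in FIELDS) + f",{f.label}" for f in flows)


if __name__ == "__main__":
    normal = [parse_flow(line) for line in NORMAL_TRAFFIC.splitlines()]
    print(to_csv(build_template(normal, "192.168.0.10", seed=1)))
```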
- a method of generating malicious traffic templates of a device will now be described with reference to FIGS. 7 through 13 .
- FIG. 7 illustrates information about functions of each device. Since a malicious traffic template of a device according to an embodiment can be generated for each function of the device, example functions of each device will be described with reference to the table of FIG. 7 .
- An AI speaker of FIG. 7 may include any one or more of a weather check function, a news check function, a traffic information check function, and a music playback function as its individual functions.
- a smart TV may include a video application execution function as its individual function.
- a smart refrigerator may include an Internet search function as its individual function.
- a smart air conditioner may include at least one of an air information provision function and a function of operating the air conditioner from the outside as its individual function.
- a home camera may include a function of providing a video of an object moving in a space as its individual function
- a smart scale may include a weight display function as its individual function.
- Any one or more of the AI speaker, the smart TV, the smart refrigerator, the smart air conditioner, the home camera, and the smart scale may include at least one of an Internet connection check function and a firmware software update check function as a common function.
- a malicious traffic template of a device may be generated for each individual function of the device and for each common function. Since a different function is used in the device for each malicious code, if malicious traffic templates are generated according to various functions of the device, it is possible to generate virtual malicious traffic that is similar to traffic generated by a device actually infected with malicious code.
- the AI speaker 600 may include at least one of, for example, a weather forecast function, a music search/playback function, and a voice search function.
- a traffic template 530 of the AI speaker 600 may include traffic data related to functions used by the AI speaker 600 as time elapses.
- a traffic template for each function of the AI speaker 600 may be generated to be similar to traffic data of an AI speaker in the normal state or traffic data of an AI speaker infected with malicious code. If the traffic template is generated to be similar to the traffic data of the AI speaker in the normal state, a process of generating a malicious traffic template related to the AI speaker 600 includes a process of inserting a malicious code behavior pattern into a traffic template generated in FIG. 9 . On the other hand, if the traffic template is generated to be similar to the traffic data of the AI speaker infected with the malicious code, the process of generating the malicious traffic template related to the AI speaker 600 may optionally include the malicious code behavior pattern insertion process of FIG. 9 .
- the malicious traffic template 530 of the AI speaker 600 of FIG. 8 may include at least one of traffic data 531 generated by the use of the weather forecast function of the AI speaker 600 from 00:00 to 24:00, traffic data 532 generated by the use of the music search/playback function, and traffic data 533 generated by the use of the voice search function. Since the traffic template of the AI speaker 600 is generated for each function, it is possible to precisely generate virtual malicious traffic data that is similar to the traffic data of the AI speaker infected with the malicious code as described above.
- a method of generating a malicious traffic template for each function of an AI speaker will be described in detail with reference to FIG. 9 .
- a malicious traffic template 540 for each function of the AI speaker 600 may be generated by further using a malicious behavior pattern 400 of malicious code.
- the malicious behavior pattern 400 of the malicious code may include information about a function used in the AI speaker 600 for each malicious code and patterns 410 and 420 in which the function is used.
- the traffic template 530 for each function of the AI speaker 600 may be generated to include at least one of, for example, traffic data 531 related to the weather forecast function, traffic data 532 related to the music search/playback function, and traffic data 533 related to the voice search function.
- the virtual malicious traffic template 540 of the AI speaker 600 may be generated such that the traffic data 541 related to the weather forecast function includes the malicious code behavior pattern 410 , and the traffic data 542 related to the music search/playback function includes the malicious code behavior pattern 420 .
- a method of generating a malicious traffic template for each user of a device will be described with reference to FIGS. 10 through 12 .
- a malicious traffic template of a device according to an embodiment may be generated for each user of the device.
- a malicious traffic template of a terminal group including the device may be generated for each user of the terminal group. Since a pattern of using a specific device in the terminal group is different for each malicious code, virtual malicious traffic similar to traffic generated by a device actually infected with malicious code may be generated according to the current embodiment.
- Example traffic data related to usage patterns of user A and user B of a specific terminal group will be described with reference to FIG. 10 .
- User A and user B of a terminal group including an AI speaker, a home camera, a smart air conditioner, a smart refrigerator and a smart TV may be users of one terminal group or may be users of different terminal groups composed of the same devices.
- traffic data of the terminal group may be generated differently according to weekday usage patterns and weekend usage patterns of the above users.
- traffic data of user A using the terminal group on weekdays may include traffic data generated by the terminal group for each of the time of waking up and getting ready for work, the working time, the time of returning home, and the sleeping time.
- traffic data of user A using the terminal group on weekends may include traffic data generated during the time of going out, the time of returning home, the sleeping time, and other times.
- Traffic data of the terminal group related to user B may also be generated for the weekdays and weekends.
- the device usage pattern of user B may be different from that of user A.
- traffic data is generated.
- no traffic data is generated during the weekday working time of user B. Therefore, if traffic data of the terminal group is generated during the weekday working time of user B, it can be suspected as malicious traffic data. Since traffic data of the terminal group is generated differently for each user in the current embodiment, a precise virtual malicious traffic template can be generated.
- Example traffic data generated differently for each user of an AI speaker will be described with reference to FIG. 11 .
- Different traffic data may be generated for each of users using even the same device, e.g., an AI speaker. This is because each user uses a device in a different pattern as described above.
- a traffic template for each user of the AI speaker may be generated to be similar to traffic data of an AI speaker in the normal state or traffic data of an AI speaker infected with malicious code. If the traffic template is generated to be similar to the traffic data of the AI speaker in the normal state, a process of generating a malicious traffic template related to the AI speaker includes a process of inserting a malicious code behavior pattern into a traffic template generated in FIG. 12 . On the other hand, if the traffic template is generated to be similar to the traffic data of the AI speaker infected with the malicious code, the process of generating the malicious traffic template related to the AI speaker may optionally include the malicious code behavior pattern insertion process of FIG. 12 .
- traffic data related to the use of the AI speaker 600 may be generated for each user as time elapses.
- a traffic template 550 related to the AI speaker 600 may include at least one of a traffic template 551 related to user A 611 and a traffic template 552 related to user B 612 .
- Each of the traffic template 551 related to user A 611 and the traffic template 552 related to user B 612 may be generated differently according to the usage pattern of the user as described above.
- a method of generating a malicious traffic template for each user of an AI speaker will now be described in detail with reference to FIG. 12 .
- a malicious traffic template for each user of an AI speaker may be generated using a malicious behavior pattern 400 of malicious code and a traffic template 550 generated for each user of the AI speaker.
- the malicious behavior pattern 400 of the malicious code may include information about patterns 410 and 420 in which the AI speaker is used by a specific user in order to generate malicious traffic related to the AI speaker for each malicious code.
- the traffic template 550 for each user of the AI speaker may include traffic data 553 related to any one or more of user A and user B using the AI speaker.
- a virtual malicious traffic template 560 of the AI speaker may be generated such that the traffic data related to the user's use of the AI speaker include the malicious code behavior patterns 410 and 420 .
- the malicious traffic template 560 may be generated by replacing the traffic template 550 related to the user's use of the AI speaker with the malicious code behavior pattern 410 or may be generated by adding the malicious code behavior pattern 420 to the traffic template 550 related to the user's use of the AI speaker.
- embodiments are not limited to this case, and it should be noted that the malicious traffic template 560 can include the malicious code behavior patterns 410 and 420 in various ways.
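As an added example (not the patent's code), here is one way to turn the weekday/weekend usage windows of FIG. 10 into per-user templates like 551 and 552 and to flag flows that fall outside a user's windows, which is the "traffic during user B's weekday working time" case above. The usage windows, the device address and the flow records are constructed.

```python
"""Per-user traffic templates and an out-of-schedule check.

Added example, not code from the patent. Usage windows for user A and user B
and the flow records below are constructed; times are seconds since 00:00 and
days are "weekday" or "weekend", following the split the text describes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Window:
    day: str       # "weekday" or "weekend"
    start: int     # seconds since 00:00, inclusive
    end: int       # exclusive
    activity: str  # e.g. "waking_up", "returning_home", "other"


# Constructed usage patterns: user A is at home mornings and evenings on
# weekdays; user B only in the evening; both are mostly at home on weekends.
USAGE_PATTERNS = {
    "A": [Window("weekday", 6 * 3600, 8 * 3600, "waking_up"),
          Window("weekday", 18 * 3600, 23 * 3600, "returning_home"),
          Window("weekend", 9 * 3600, 12 * 3600, "other"),
          Window("weekend", 17 * 3600, 23 * 3600, "returning_home")],
    "B": [Window("weekday", 19 * 3600, 24 * 3600, "returning_home"),
          Window("weekend", 8 * 3600, 23 * 3600, "other")],
}


@dataclass(frozen=True)
class Flow:
    day: str
    time: int
    src_ip: str
    dst_ip: str
    bytes: int


def active_window(user: str, flow: Flow) -> Optional[Window]:
    """Return the usage window the flow falls into for this user, or None."""
    for w in USAGE_PATTERNS[user]:
        if w.day == flow.day and w.start <= flow.time < w.end:
            return w
    return None


def user_template(user: str, device_flows: list[Flow]) -> list[Flow]:
    """Template 551/552: the device's flows restricted to the user's usage windows."""
    return [f for f in device_flows if active_window(user, f) is not None]


def out_of_schedule(user: str, flows: list[Flow]) -> list[Flow]:
    """Flows generated when the user's pattern expects none (e.g. user B's
    weekday working time); these are the records the text treats as suspicious."""
    return [f for f in flows if active_window(user, f) is None]


# Constructed AI speaker traffic (device 192.168.0.10) on one weekday and one weekend day.
DEVICE_FLOWS = [
    Flow("weekday", 7 * 3600, "192.168.0.10", "93.184.216.34", 1200),   # morning
    Flow("weekday", 13 * 3600, "192.168.0.10", "93.184.216.34", 800),   # midday
    Flow("weekday", 20 * 3600, "192.168.0.10", "93.184.216.34", 2500),  # evening
    Flow("weekend", 10 * 3600, "192.168.0.10", "93.184.216.34", 600),
]


if __name__ == "__main__":
    for user in ("A", "B"):
        print(user, "template:", [f.time for f in user_template(user, DEVICE_FLOWS)],
              "suspicious:", [f.time for f in out_of_schedule(user, DEVICE_FLOWS)])
```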
- A method of generating a virtual terminal group will be described in detail with reference to FIG. 13.
- Devices included in the terminal group and users of the terminal group may be designated.
- Terminal group 1 may include one ‘A-type user’ and at least one of an AI speaker, a smart TV, a smart refrigerator, a smart air conditioner, and a smart camera.
- Each of terminal groups 2 through 5 may also include various users and devices.
- A method of generating a network packet transmitted to a terminal group in order to generate a malicious traffic template of the terminal group will now be described with reference to FIGS. 14 through 21.
- A network packet is transmitted to or received from the terminal group in order to induce the generation of traffic data of the terminal group.
- A network packet 740 transmitted to or received from a terminal group in order to generate malicious traffic data of the terminal group may be generated to include at least one of information 710 about each function of each device included in the terminal group, user information 720 of the terminal group, and information 730 about the terminal group.
- A database used to generate the network packet 740 that is transmitted to the terminal group in order to generate the malicious traffic data will now be described in detail with reference to FIGS. 15 through 20.
- A database of terminal groups may include a terminal group identifier as a key value and may further include at least one of Internet line bandwidth and a media access control (MAC) address of a terminal group AP according to embodiments.
- A database of users of each terminal group may include, as key values, the terminal group identifier, which is the key value of the database of terminal groups of FIG. 15, and a device user type identifier, and may further include a user identifier according to embodiments.
- A database of device usage patterns of each user type may be generated using data about terminal groups and the database of the terminal group users.
- The database of the device usage patterns of each user type in FIG. 17 may include, as key values, a device user type identifier and a device type code, which is the key value of the database of device types, and may further include additional information defining the device usage patterns of each user type.
- A malicious traffic template of a device can be generated variously and precisely based on the various patterns in which the device is used by each user type. For example, if a user has a usage pattern similar to the behavior pattern of specific malicious code, then, since the usage patterns of the user are managed in the database, it is possible to generate a malicious traffic template that differs from the normal usage pattern of the user by a slight degree that was not distinguishable before. Therefore, a machine learning algorithm trained using the malicious traffic template can distinguish the various fine differences between the behavior pattern of the malicious code and the usage pattern of the user.
- A database of types of devices included in a terminal group may include a device type code as a key value and may further include at least one of a device type name and a device type description according to embodiments.
- The device type code may be a specific identifier assigned to each device type. For example, a wired telephone, a wireless telephone, and a mobile phone, which are all of the communication device type, may have the same device type code.
- A database of device functions may include a device function type code as a key value and may further include at least one of a device function type name and a device function type description according to embodiments.
- The device function type code may be a specific identifier assigned to each device function. For example, when each of a smart TV and a smart air conditioner has a function of requesting connection to an AP of a terminal group, the two functions of requesting connection to the AP may have the same function type code.
- A database of traffic pattern information for each device function may be generated using the database of device types and the database of device functions according to embodiments.
- The database of the traffic pattern information for each device function may include the device type code, which is the key value of the database of device types of FIG. 18, and the device function type code, which is the key value of the database of device functions of FIG. 19, and may further include information defining a traffic pattern for each device and each device function.
- A malicious traffic template of a device can be generated variously and precisely based on the various patterns in which each device function of a terminal group is used. For example, if the pattern in which a specific function of a device is used is similar to the behavior pattern of specific malicious code, then, since the traffic pattern information for each device function is managed in the database, it is possible to generate a malicious traffic template that differs from the normal usage pattern of that function by a slight degree that was not distinguishable before. Therefore, a machine learning algorithm trained using the malicious traffic template can distinguish the various fine differences between the behavior pattern of the malicious code and the normal usage pattern of the device.
- Network packets transmitted or received according to a terminal group's malicious traffic template, generated using the databases described with reference to FIGS. 14 through 20, will now be described with reference to FIG. 21.
- A malicious traffic template may be generated such that, at an interval of 1 second from 06:00 on Jan. 1, 2018, the AI speaker transmits a packet having a size of 45 to the AP, the AP transmits a packet having a size of 46 to the AI speaker, and then the AI speaker transmits a packet having a size of 251 to the AP, as illustrated in FIG. 21.
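A SQLite rendering of the six databases of FIGS. 15 through 20 and of the FIG. 21 packet sequence they produce, as an added example that is not the patent's own code. Table and column names, the one-row-per-packet-step layout of the FIG. 20 traffic pattern, and all sample rows (terminal group TG1, user type A, device type AISPK, function CONN_CHK, the AP MAC address) are this example's constructed assumptions; the key values of each database, the packet sizes 45, 46 and 251, the 1-second interval and the 06:00 Jan. 1, 2018 start are taken from the description.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed table and column names for the databases of FIGS. 15 through 20.
# A traffic pattern (FIG. 20) is stored here as one row per packet step.
SCHEMA = """
CREATE TABLE terminal_group (                 -- FIG. 15
    terminal_group_id TEXT PRIMARY KEY,       -- key value
    internet_bandwidth_mbps INTEGER,
    ap_mac TEXT
);
CREATE TABLE terminal_group_user (            -- FIG. 16
    terminal_group_id TEXT REFERENCES terminal_group(terminal_group_id),
    device_user_type_id TEXT,
    user_id TEXT,
    PRIMARY KEY (terminal_group_id, device_user_type_id)
);
CREATE TABLE device_type (                    -- FIG. 18
    device_type_code TEXT PRIMARY KEY,
    device_type_name TEXT,
    device_type_description TEXT
);
CREATE TABLE device_function (                -- FIG. 19
    device_function_type_code TEXT PRIMARY KEY,
    device_function_type_name TEXT,
    device_function_type_description TEXT
);
CREATE TABLE user_type_usage_pattern (        -- FIG. 17
    device_user_type_id TEXT,
    device_type_code TEXT REFERENCES device_type(device_type_code),
    usage_pattern TEXT,
    PRIMARY KEY (device_user_type_id, device_type_code)
);
CREATE TABLE function_traffic_pattern (       -- FIG. 20
    device_type_code TEXT REFERENCES device_type(device_type_code),
    device_function_type_code TEXT
        REFERENCES device_function(device_function_type_code),
    step INTEGER,            -- order of the packet in the sequence
    direction TEXT,          -- 'to_ap' or 'from_ap'
    packet_size INTEGER,
    PRIMARY KEY (device_type_code, device_function_type_code, step)
);
"""

# Constructed sample rows; the packet sizes follow the FIG. 21 sequence.
SAMPLE_ROWS = """
INSERT INTO terminal_group VALUES ('TG1', 100, '02:00:00:00:00:01');
INSERT INTO terminal_group_user VALUES ('TG1', 'A', 'user-A-1');
INSERT INTO device_type VALUES ('AISPK', 'AI speaker', 'voice assistant speaker');
INSERT INTO device_function VALUES ('CONN_CHK', 'Internet connection check',
                                    'common function of every device');
INSERT INTO user_type_usage_pattern VALUES ('A', 'AISPK', 'weather check at 06:00');
INSERT INTO function_traffic_pattern VALUES ('AISPK', 'CONN_CHK', 1, 'to_ap', 45);
INSERT INTO function_traffic_pattern VALUES ('AISPK', 'CONN_CHK', 2, 'from_ap', 46);
INSERT INTO function_traffic_pattern VALUES ('AISPK', 'CONN_CHK', 3, 'to_ap', 251);
"""

# Joins the pattern rows with the function, device type, terminal group and
# user databases so that every packet carries information 710, 720 and 730.
PACKET_QUERY = """
SELECT p.step, p.direction, p.packet_size, f.device_function_type_name,
       d.device_type_name, g.ap_mac, u.device_user_type_id
FROM function_traffic_pattern AS p
JOIN device_function AS f ON f.device_function_type_code = p.device_function_type_code
JOIN device_type AS d ON d.device_type_code = p.device_type_code
JOIN terminal_group AS g ON g.terminal_group_id = ?
JOIN terminal_group_user AS u ON u.terminal_group_id = g.terminal_group_id
WHERE p.device_type_code = ? AND p.device_function_type_code = ?
ORDER BY u.device_user_type_id, p.step
"""


def build_database():
    """Create the six databases in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def generate_packets(conn, group_id, device_type_code, function_code,
                     start=datetime(2018, 1, 1, 6, 0), interval_s=1):
    """Produce the packet sequence (network packet 740) for one device function
    of one terminal group, one packet per interval starting at `start`."""
    rows = conn.execute(PACKET_QUERY,
                        (group_id, device_type_code, function_code)).fetchall()
    packets = []
    for k, (_step, direction, size, fn_name, dev_name, ap_mac, user_type) in enumerate(rows):
        src, dst = (dev_name, "AP") if direction == "to_ap" else ("AP", dev_name)
        when = start + timedelta(seconds=k * interval_s)
        packets.append({"time": when.strftime("%Y-%m-%d %H:%M:%S"),
                        "src": src, "dst": dst, "bytes": size,
                        "function": fn_name,          # information 710
                        "user_type": user_type,       # information 720
                        "terminal_group": group_id,   # information 730
                        "ap_mac": ap_mac})
    return packets
```

Calling `generate_packets(build_database(), "TG1", "AISPK", "CONN_CHK")` yields the three FIG. 21 packets, each stamped with the function name, user type and terminal group identity that the description attaches to network packet 740. The `REFERENCES` clauses document the key relationships between the databases; SQLite only enforces them when `PRAGMA foreign_keys` is switched on.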
- A computing apparatus 100 for performing a method of generating a malicious traffic template of a terminal group may include a processor 110 and a memory 120 and may further include at least one of a storage 140, a network interface 130, and a system bus in some embodiments.
- One or more instructions 121 through 123 loaded and stored in the memory 120 may be executed by the processor 110 and may generate a malicious traffic template 124 to be stored in the memory 120. It should be noted that, although not specifically described, the computing apparatus 100 according to the current embodiment can perform the method of generating a malicious traffic template of a terminal group described above with reference to FIG. 1.
- The network interface 130 may transmit a packet to a device included in a terminal group or receive a packet from the device. Information about the received packet may be stored in the storage 140.
- The storage 140 may store malicious code behavior analysis information 141, including malicious code behavior patterns, and traffic data 142 for each device, which is received from each terminal group.
- The instructions 121 through 123 may include an instruction 121 for extracting traffic data for each device included in a terminal group, an instruction 122 for extracting malicious code behavior patterns from the malicious code behavior analysis information 141 stored in the storage 140, and an instruction 123 for generating a virtual malicious traffic template of the terminal group for each malicious code.
- The instruction 121 for extracting the traffic data for each device may extract normal traffic from the devices included in the terminal group, so that malicious code behavior patterns can be inserted into the traffic data, or may extract traffic data of a device infected with malicious code.
- The instruction 122 for extracting the malicious code behavior patterns may extract behavior patterns of malicious code in traffic data from the known malicious code behavior analysis information 141 in order to generate a malicious traffic template for each malicious code.
- The instruction 123 for generating the virtual malicious traffic template of the terminal group for each malicious code may generate a malicious traffic template for device use by user type using the extracted traffic data and malicious code behavior patterns, or may generate a malicious traffic template for each device function and a malicious traffic template for the terminal group.
Description
- This application claims the benefit of Korean Patent Application No. 10-2018-0149569, filed on Nov. 28, 2018, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference in its entirety.
- The present disclosure relates to a method of generating a virtual malicious traffic template for a terminal group, and more particularly, to a method of generating virtual malicious traffic that may occur in a terminal group including a device actually infected with malicious code by using traffic data generated by the device.
- In an Internet of things (IoT) environment, various devices are connected by a network to form one terminal group. Since smart devices included in the terminal group are connected by a wired/wireless network, if one device is infected with malicious code, the malicious code can be rapidly transmitted to the entire terminal group. Therefore, there is a need for a rapid and accurate technology that can detect malicious code infection within the terminal group. Accordingly, various machine learning algorithms are being developed to detect malicious code infection using traffic data generated in a network.
- In particular, a system for monitoring an IoT terminal group by utilizing machine learning technology, using an anomaly detection model that performs unsupervised learning or an intrusion detection model that performs supervised learning, is being actively developed. However, machine learning using an unrefined data model is very economically inefficient due to an unnecessary waste of resources, and an algorithm trained using the unrefined data model has low accuracy. Therefore, it is required to provide a technology that generates an optimal learning model for a terminal group infected with malicious code.
- Aspects of the present disclosure provide a method and apparatus for generating a virtual malicious traffic template for a terminal group in a normal state and including a device infected with malicious code by using previously generated traffic information of the device.
- Aspects of the present disclosure also provide a method and apparatus for generating a virtual malicious traffic template for a terminal group including a device not infected with malicious code by using traffic information generated by the device in a normal state.
- Aspects of the present disclosure also provide a method and apparatus for generating an optimal learning model, which can be used for machine learning used in a malicious code monitoring system of a terminal group, by using a malicious traffic template for the terminal group.
- However, aspects of the present disclosure are not restricted to those set forth herein. The above and other aspects of the present disclosure will become more apparent to one of ordinary skill in the art to which the present disclosure pertains by referencing the detailed description of the present disclosure given below.
- According to another aspect of the present disclosure, there is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
- According to an aspect of the present disclosure, there is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining normal traffic data related to a terminal group which comprises a first device not infected with malicious code, generating a virtual malicious traffic template of the first device infected with malicious code by using the normal traffic data of the first device and behavior analysis information of first malicious code and generating a malicious traffic template of the terminal group, wherein the malicious traffic template of the terminal group comprises the malicious traffic template related to the first device infected with the malicious code.
- According to an aspect of the present disclosure, there is provided a computing apparatus comprising a memory into which a malicious traffic generation program is loaded and a processor which executes the malicious traffic generation program loaded into the memory, wherein the malicious traffic generation program comprises an instruction for obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device; an instruction for generating a traffic template of the first device by analyzing the traffic data and an instruction for generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
- Other features and exemplary embodiments may be apparent from the following detailed description, the drawings, and the claims.
- These and/or other aspects will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings in which:
- FIG. 1 is a diagram for explaining the configuration and operation of a system for generating a malicious traffic template according to an embodiment;
- FIG. 2 is a flowchart illustrating a method of generating a malicious traffic template according to an embodiment;
- FIG. 3 illustrates examples of normal traffic data of a terminal group not infected with malicious code according to an embodiment;
- FIG. 4 is a diagram for explaining a method of generating a malicious traffic template by inserting a behavior pattern of malicious code into normal traffic data of a terminal group according to an embodiment;
- FIG. 5 is a diagram for explaining a method of generating a virtual malicious traffic template using traffic data of a terminal group infected with malicious code according to an embodiment;
- FIG. 6 is a diagram for explaining a method of generating a virtual malicious traffic template using normal traffic data of a terminal group, a malicious code behavior pattern, and traffic data of a terminal group infected with malicious code according to an embodiment;
- FIG. 7 illustrates examples of a device whose malicious traffic template is to be generated for each function of the device according to an embodiment;
- FIG. 8 illustrates an example traffic template for each function of an AI speaker in order to explain a malicious traffic template for each function of a device according to an embodiment;
- FIG. 9 is a diagram for explaining a method of inserting a behavior pattern of malicious code into a traffic template for each function of a device according to an embodiment;
- FIG. 10 illustrates a terminal group and device usage information of a user which are used to generate a malicious traffic template for each user of the terminal group according to an embodiment;
- FIG. 11 illustrates an example traffic template for each user of an AI speaker in order to explain a malicious traffic template for each user of a device according to an embodiment;
- FIG. 12 is a diagram for explaining a method of inserting a behavior pattern of malicious code into a traffic template for each user of a device according to an embodiment;
- FIG. 13 illustrates examples of a terminal group whose malicious traffic template is to be generated according to an embodiment;
- FIG. 14 is a diagram for explaining a method of generating a network packet to generate malicious traffic according to an embodiment;
- FIG. 15 illustrates an example database of terminal group information according to an embodiment;
- FIG. 16 illustrates an example database of user information of each terminal group according to an embodiment;
- FIG. 17 illustrates an example database of device usage patterns of each user type according to an embodiment;
- FIG. 18 illustrates an example database of device type information according to an embodiment;
- FIG. 19 illustrates an example database of device function information according to an embodiment;
- FIG. 20 illustrates an example database of traffic pattern information for each device function of a terminal group according to an embodiment;
- FIG. 21 illustrates network packets used to generate malicious traffic data of a terminal group according to an embodiment; and
- FIG. 22 illustrates the hardware configuration of an apparatus for generating a malicious traffic template of a terminal group according to an embodiment.
- Hereinafter, embodiments of the present disclosure will be described with reference to the attached drawings. Advantages and features of the present disclosure and methods of accomplishing the same may be understood more readily by reference to the following detailed description of embodiments and the accompanying drawings. The present disclosure may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the disclosure to those skilled in the art, and the present disclosure will only be defined by the appended claims. Like numbers refer to like elements throughout.
- Unless otherwise defined, all terms, including technical and scientific terms, used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein. The terms used herein are for the purpose of describing particular embodiments only and are not intended to be limiting. As used herein, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise.
- It will be understood that the terms “comprise” and/or “comprising” when used herein, specify some stated components, steps, operations and/or elements, but do not preclude the presence or addition of one or more other components, steps, operations and/or elements.
- Hereinafter, embodiments of the present disclosure will be described with reference to the drawings.
- The configuration and operation of a system for generating a malicious traffic template of a terminal group according to an embodiment will now be described with reference to FIG. 1. As used herein, a terminal group may denote a set of devices connected directly or indirectly to one network. For example, the terminal group may be a set of devices whose Internet protocol (IP) addresses use the same network address but have different host addresses, or a group of devices connected to one access point (AP) in an Internet of things (IoT) environment.
- Referring to FIG. 1, a malicious traffic generation apparatus 100 may generate malicious traffic templates for a plurality of terminal groups. For example, a first terminal group 10 may include a plurality of devices and users of the devices in the first terminal group 10. In addition, a second terminal group 20 may include a plurality of devices and users of the devices in the second terminal group 20.
- The malicious traffic generation apparatus 100 may collect traffic data received by or transmitted from the devices of the terminal groups. Using the collected traffic data, the malicious traffic generation apparatus 100 may generate templates for virtual malicious traffic that can occur in the terminal groups.
- In addition, a malicious traffic template may be generated for each malicious code. For example, when a first device 11 of the first terminal group 10 is infected with first malicious code, a malicious traffic template may be generated for each type of user of the first device 11 infected with the first malicious code, a malicious traffic template may be generated for each function of the first device 11 infected with the first malicious code, and a malicious traffic template may be generated for the entire first terminal group 10 including the first device 11 infected with the first malicious code.
- The malicious traffic generation apparatus 100 may also collect normal traffic data of the devices, which will be described in detail with reference to FIGS. 3 and 4.
- A method of generating malicious traffic of a terminal group according to an embodiment will now be described with reference to FIG. 2.
- In operation S100, a terminal group whose malicious traffic template is to be generated may be selected. The selected terminal group is a group of devices connected through a network, as described above. When the devices of a terminal group are connected through a network, the IP addresses of the plurality of devices within the terminal group may be structured to have, for example, one or more identical network addresses and different host addresses among a plurality of IP address classes. However, it should be noted that this is merely an example of the IP addresses used in a terminal group that generally uses one AP. Therefore, the terminal group selected in operation S100 may be, for example, one of a plurality of households existing in a specific area or one of a plurality of companies existing in one building.
- In operation S200, it may be identified whether the devices in the terminal group are infected with malicious code. A method of generating a malicious traffic template of the terminal group which will be described below may vary depending on whether the devices are infected with malicious code.
- In operation S300, if it is identified in operation S200 that the devices are not infected with malicious code, normal traffic data may be obtained from the devices in a normal state. The traffic data may be collected using, e.g., tcpdump.
- In operation S400, behavior information of malicious code may be inserted into the normal traffic data obtained in operation S300. The behavior information of the malicious code includes information about data generated when a device is infected with the malicious code. For example, the behavior information of the malicious code may include a pattern of malicious code behavior that occurs in a device infected with the malicious code. This will be described in detail with reference to FIG. 4.
- If there is a device infected with malicious code, a malicious traffic template may be generated for each malicious code in operation S500 by collecting traffic data generated by the device. The traffic template may be generated for each function of the device, for each user of the device, and for each terminal group including the device. This will be described in detail later with reference to FIGS. 7 through 13.
- In addition, when a malicious traffic template is generated for a device infected with malicious code that performs an inbound attack, traffic data received by the device infected with the malicious code may be collected. For example, the malicious code may perform an attack of blocking all access to the device. Since a problem caused by malicious code that performs an inbound attack originates in network data coming from the outside to the device, the computation of a computing apparatus can be minimized by collecting the traffic data received by the device.
- Likewise, when a malicious traffic template is generated for a device infected with malicious code that performs an outbound attack, traffic data transmitted from the device infected with the malicious code may be collected. For example, the malicious code may perform an attack of allowing all access attempted by the device. Since a problem occurring due to the malicious code that performs the outbound attack is caused by network data going out from the device to the outside, the computation of the computing apparatus can be minimized by collecting the traffic data transmitted from the device.
- In operation S600, a virtual malicious traffic template may be generated for the terminal group by using the malicious traffic templates generated in operations S400 and S500. A malicious traffic template may be generated using the normal traffic data and the malicious code behavior patterns generated in operation S400, a malicious traffic template may be generated using the malicious traffic template generated in operation S500 and noise traffic, and one malicious traffic template may also be generated using the malicious traffic templates generated in operations S400 and S500.
- By generating malicious traffic templates using various combinations as described above, it is possible to generate various and efficient machine learning models using the generated malicious traffic templates. In particular, a malicious traffic template generated based on a device infected with malicious code can be used in a machine learning algorithm that performs supervised learning.
- A method of generating a malicious traffic template of a device not infected with malicious code by using normal traffic data obtained from the device will now be described with reference to FIGS. 3 and 4.
- Examples of normal traffic data that can be generated by a terminal group will now be described with reference to FIG. 3. For example, when there is a device group 200 including one or more of a smart TV 201, a smart camera 202, and an AI speaker 203, various patterns of traffic data can be generated according to the type of user of each terminal group, even for the same device group 200. Traffic data 310 generated by a first terminal group may be composed of traffic 313 received by the AI speaker 203 or transmitted from the AI speaker 203, traffic 312 received by the smart camera 202 or transmitted from the smart camera 202, and traffic 311 received by the smart TV 201 or transmitted from the smart TV 201. Likewise, traffic data 320 generated by a second terminal group may be composed of traffic 323 obtained from the AI speaker 203, traffic 322 obtained from the smart camera 202, and traffic 321 obtained from the smart TV 201. However, the traffic data 320 generated by the second terminal group may differ from the traffic data 310 generated by the first terminal group in terms of information such as traffic generation time, frequency, etc.
- A method of generating a malicious traffic template by inserting a malicious code behavior pattern into normal traffic obtained from a device will be described with reference to FIG. 4. Traffic of normal traffic data 330 of a device may be replaced with malicious code behavior patterns, or malicious code behavior patterns may be added to the normal traffic data 330. However, embodiments are not limited to this case, and it should be noted that various patterns of traffic can be generated by adding noise traffic between the malicious code behavior patterns.
- In addition, the malicious code behavior patterns may be obtained from a malicious code behavior pattern 400 of each known malicious code according to an embodiment. The malicious code behavior patterns
- A malicious traffic template 500 generated for a terminal group may include one or more of malicious code behavior patterns and random noise traffic 509.
- The random noise traffic 509 is traffic irrelevant to the malicious code behavior patterns and may be inserted into the malicious traffic template 500 in various forms to generate various forms of malicious traffic templates 500. Since various forms of malicious traffic templates 500 are generated, the number of data models available for training the machine learning algorithm used by a monitoring system to determine whether a terminal group is infected with malicious code may be increased, thereby increasing the accuracy of the machine learning algorithm.
- A method of generating a terminal group's malicious traffic template 510, including malicious traffic templates related to a specific device, will now be described with reference to FIG. 5. A method of generating the malicious traffic templates of the device will be described later with reference to FIGS. 7 through 13.
- Traffic of a terminal group's malicious traffic template 510 including malicious traffic templates related to the above specific device may include an IP address of a command and control (C&C) server of malicious code. Since the C&C server is a server that transmits control commands which direct malicious code to perform a desired attack, a malicious traffic template of a terminal group infected with malicious code can be generated by inserting the IP address of the C&C server into traffic of the malicious traffic template. For example, if traffic is in the form of ‘TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL, BYTES, . . . ’, the IP address of the C&C server may be inserted into the ‘SRC_IP’ field indicating the IP address from which the traffic was transmitted. Referring to FIG. 5, any one of ‘101.101.101.101’ and ‘201.201.201.201’, which are IP addresses of C&C servers, may be inserted into traffic 511 of the malicious traffic template 510. A machine learning algorithm that learns this malicious traffic template as a model may detect traffic that includes a packet containing the IP address of the C&C server as malicious traffic.
- Referring to FIG. 6, a malicious traffic template 520 of a terminal group may be generated using a malicious traffic template 500, generated by inserting malicious code patterns into normal traffic data, together with traffic templates of a device infected with malicious code.
- For example, a terminal group's malicious traffic template 520 generated using the above method may include at least one of malicious code patterns, a malicious traffic template 523 of a device, and random noise traffic 524 irrelevant to malicious code. One or more of the malicious code patterns, the malicious traffic template 523 of the device, and the random noise traffic 524 can replace traffic included in a normal traffic template of the terminal group or may be added to that traffic.
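The replace-or-add insertion of FIG. 4, the noise traffic of template 500, the C&C-address stamping of FIG. 5 and their combination in FIG. 6, as an added Python example that is not part of the patent and not the applicant's code; the per-function and per-user templates of FIGS. 9 and 12 use the same replace-or-add step on a per-function or per-user template instead of the whole normal traffic data. The record form ‘TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL, BYTES’ is the one the description names; the addresses, the beaconing behaviour pattern, the normal traffic records and every function name are this example's constructed assumptions.

```python
import random
from dataclasses import dataclass, replace as with_fields


@dataclass(frozen=True)
class Flow:
    """One record in the TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL,
    BYTES form the description uses; TIME is a second offset (constructed)."""
    time: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    bytes: int


DEVICE_IP = "10.0.0.11"   # constructed: the AI speaker inside the terminal group
AP_IP = "10.0.0.1"        # constructed: the terminal group's AP
C2_IP = "192.0.2.99"      # constructed C&C address (RFC 5737 documentation range)
GROUP_PREFIX = "10.0.0."  # constructed: the terminal group's own subnet

# Constructed normal traffic data (normal traffic data 330) of the AI speaker.
NORMAL_TRAFFIC = [
    Flow(0, DEVICE_IP, 40001, AP_IP, 53, "UDP", 45),
    Flow(1, AP_IP, 53, DEVICE_IP, 40001, "UDP", 46),
    Flow(2, DEVICE_IP, 40002, "203.0.113.10", 443, "TCP", 251),
    Flow(3, "203.0.113.10", 443, DEVICE_IP, 40002, "TCP", 1400),
    Flow(6, DEVICE_IP, 40003, "203.0.113.10", 443, "TCP", 180),
    Flow(9, DEVICE_IP, 40004, AP_IP, 53, "UDP", 45),
]

# Constructed behaviour pattern (pattern 400) of a hypothetical beaconing
# malicious code.  Times are offsets from the insertion point; DEVICE and C2
# are placeholders bound when the pattern is inserted.
BEACON_PATTERN = [
    Flow(0, "DEVICE", 50000, "C2", 8080, "TCP", 64),
    Flow(1, "C2", 8080, "DEVICE", 50000, "TCP", 128),
    Flow(5, "DEVICE", 50001, "C2", 8080, "TCP", 64),
]


def bind_pattern(pattern, device_ip, c2_ip, start_time):
    """Make the relative pattern concrete: real addresses, absolute times."""
    names = {"DEVICE": device_ip, "C2": c2_ip}
    return [with_fields(f, time=start_time + f.time,
                        src_ip=names[f.src_ip], dst_ip=names[f.dst_ip])
            for f in pattern]


def insert_by_replacement(normal, pattern, at, device_ip, c2_ip):
    """FIG. 4, first form: from index `at`, each normal record is replaced by a
    pattern record that keeps the replaced record's time slot."""
    out = list(normal)
    for k, bound in enumerate(bind_pattern(pattern, device_ip, c2_ip, 0)):
        out[at + k] = with_fields(bound, time=out[at + k].time)
    return out


def insert_by_addition(normal, pattern, at_time, device_ip, c2_ip):
    """FIG. 4, second form: the pattern is added beside the normal records;
    nothing is removed and the result is kept in time order."""
    merged = list(normal) + bind_pattern(pattern, device_ip, c2_ip, at_time)
    return sorted(merged, key=lambda f: (f.time, f.src_ip))


def add_noise(records, count, rng, device_ip, ap_ip):
    """Random noise traffic (509): device-to-AP chatter unrelated to the
    malicious pattern, placed at random times inside the template."""
    span = max(f.time for f in records) + 1
    noise = [Flow(rng.randrange(span), device_ip, rng.randrange(40000, 60000),
                  ap_ip, 53, "UDP", rng.randrange(40, 80)) for _ in range(count)]
    return sorted(list(records) + noise, key=lambda f: (f.time, f.src_ip))


def stamp_c2_source(records, c2_ip, device_ip):
    """FIG. 5: write the C&C address into the SRC_IP field of records the
    device receives from outside the terminal group."""
    return [with_fields(f, src_ip=c2_ip)
            if f.dst_ip == device_ip and not f.src_ip.startswith(GROUP_PREFIX)
            else f for f in records]


def select_by_direction(records, device_ip, inbound):
    """Inbound attack: keep only traffic received by the device;
    outbound attack: keep only traffic the device transmits."""
    return [f for f in records if (f.dst_ip == device_ip) == inbound]


def label_records(records, c2_ip):
    """Label for supervised learning: 1 when a record involves the C&C
    address, 0 for normal traffic and noise."""
    return [(f, 1 if c2_ip in (f.src_ip, f.dst_ip) else 0) for f in records]


def build_template(seed=7):
    """FIG. 6 combination: pattern inserted by replacement, noise added, the
    C&C address stamped into inbound records, then labelled."""
    rng = random.Random(seed)
    records = insert_by_replacement(NORMAL_TRAFFIC, BEACON_PATTERN, 2, DEVICE_IP, C2_IP)
    records = add_noise(records, 3, rng, DEVICE_IP, AP_IP)
    records = stamp_c2_source(records, C2_IP, DEVICE_IP)
    return label_records(records, C2_IP)
```

`build_template()` runs the FIG. 6 combination end to end and returns the labelled records a supervised detection model would train on; `select_by_direction()` is the inbound/outbound filter of operation S500. Replacement keeps the record count and timeline of the normal data, addition grows it, and the C&C address sits in the documentation range so the template never names a real host.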
- A method of generating malicious traffic templates of a device will now be described with reference to FIGS. 7 through 13.
- FIG. 7 illustrates information about the functions of each device. Since a malicious traffic template of a device according to an embodiment can be generated for each function of the device, example functions of each device will be described with reference to the table of FIG. 7.
- An AI speaker of FIG. 7 may include any one or more of a weather check function, a news check function, a traffic information check function, and a music playback function as its individual functions. A smart TV may include a video application execution function as its individual function. A smart refrigerator may include an Internet search function as its individual function. A smart air conditioner may include at least one of an air information provision function and a function of operating the air conditioner from the outside as its individual function. In addition, a home camera may include a function of providing a video of an object moving in a space as its individual function, and a smart scale may include a weight display function as its individual function.
- Any one or more of the AI speaker, the smart TV, the smart refrigerator, the smart air conditioner, the home camera, and the smart scale may include at least one of an Internet connection check function and a firmware software update check function as a common function.
- A malicious traffic template of a device may be generated for each individual function of the device and for each common function. Since a different function is used in the device for each malicious code, if malicious traffic templates are generated according to various functions of the device, it is possible to generate virtual malicious traffic that is similar to traffic generated by a device actually infected with malicious code.
- An example method of generating a traffic template for each function of an
AI speaker 600 in order to generate a malicious traffic template of theAI speaker 600 will be described with reference toFIG. 8 . TheAI speaker 600 may include at least one of, for example, a weather forecast function, a music search/playback function, and a voice search function. Atraffic template 530 of theAI speaker 600 may include traffic data related to functions used by theAI speaker 600 as time elapses. - In the current embodiment, a traffic template for each function of the
AI speaker 600 may be generated to be similar to traffic data of an AI speaker in the normal state or traffic data of an AI speaker infected with malicious code. If the traffic template is generated to be similar to the traffic data of the AI speaker in the normal state, a process of generating a malicious traffic template related to theAI speaker 600 includes a process of inserting a malicious code behavior pattern into a traffic template generated inFIG. 9 . On the other hand, if the traffic template is generated to be similar to the traffic data of the AI speaker infected with the malicious code, the process of generating the malicious traffic template related to theAI speaker 600 may optionally include the malicious code behavior pattern insertion process ofFIG. 9 . - The
malicious traffic template 530 of theAI speaker 600 ofFIG. 8 may include at least one oftraffic data 531 generated by the use of the weather forecast function of theAI speaker 600 from 00:00 to 24:00,traffic data 532 generated by the use of the music search/playback function, andtraffic data 533 generated by the use of the voice search function. Since the traffic template of theAI speaker 600 is generated for each function, it is possible to precisely generate virtual malicious traffic data that is similar to the traffic data of the AI speaker infected with the malicious code as described above. - A method of generating a malicious traffic template for each function of an AI speaker will be described in detail with reference to
FIG. 9 . To make the AI speaker'smalicious traffic template 530 generated inFIG. 8 have a more similar pattern to the traffic data of the AI speaker infected with the malicious code, amalicious traffic template 540 for each function of theAI speaker 600 may be generated by further using amalicious behavior pattern 400 of malicious code. - The
malicious behavior pattern 400 of the malicious code may include information about a function used in theAI speaker 600 for each malicious code andpatterns traffic template 530 for each function of theAI speaker 600 may be generated to include at least one of, for example,traffic data 531 related to the weather forecast function,traffic data 532 related to the music search/playback function, andtraffic data 533 related to the voice search function. - For example, if certain malicious code shows malicious code behavior patterns in the
traffic data 541 related to the weather forecast function and thetraffic data 542 related to the music search/playback function, the virtualmalicious traffic template 540 of theAI speaker 600 may be generated such that thetraffic data 541 related to the weather forecast function includes the maliciouscode behavior pattern 410, and thetraffic data 542 related to the music search/playback function includes the maliciouscode behavior pattern 420. - A method of generating a malicious traffic template for each user of a device will be described with reference to
FIGS. 10 through 12. A malicious traffic template of a device according to an embodiment may be generated for each user of the device. In addition, a malicious traffic template of a terminal group including the device may be generated for each user of the terminal group. Since the pattern of using a specific device in the terminal group differs for each malicious code, virtual malicious traffic similar to the traffic generated by a device actually infected with malicious code may be generated according to the current embodiment.
- Example traffic data related to the usage patterns of user A and user B of a specific terminal group will be described with reference to FIG. 10. User A and user B of a terminal group including an AI speaker, a home camera, a smart air conditioner, a smart refrigerator, and a smart TV may be users of one terminal group or may be users of different terminal groups composed of the same devices.
- In addition, traffic data of the terminal group may be generated differently according to the weekday usage patterns and the weekend usage patterns of these users. For example, traffic data of user A using the terminal group on weekdays may include traffic data generated by the terminal group during each of the time of waking up and getting ready for work, the working time, the time of returning home, and the sleeping time. Traffic data of user A using the terminal group on weekends may include traffic data generated during the time of going out, the time of returning home, the sleeping time, and other times. Traffic data of the terminal group related to user B may likewise be generated for weekdays and weekends; however, the device usage pattern of user B may differ from that of user A.
- For example, since user A uses the home camera and the smart air conditioner of the terminal group during weekday working time, traffic data is generated then. No traffic data is generated during the weekday working time of user B. Therefore, if traffic data of the terminal group is generated during the weekday working time of user B, it can be suspected of being malicious traffic data. Since traffic data of the terminal group is generated differently for each user in the current embodiment, a precise virtual malicious traffic template can be generated.
- Example traffic data generated differently for each user of an AI speaker will be described with reference to FIG. 11. Different traffic data may be generated for each user even of the same device, e.g., an AI speaker, because each user uses a device in a different pattern, as described above.
- In the current embodiment, a traffic template for each user of the AI speaker may be generated to be similar to traffic data of an AI speaker in the normal state or to traffic data of an AI speaker infected with malicious code. If the traffic template is generated to be similar to the traffic data of the AI speaker in the normal state, the process of generating a malicious traffic template related to the AI speaker includes a process of inserting a malicious code behavior pattern into the traffic template, as shown in FIG. 12. On the other hand, if the traffic template is generated to be similar to the traffic data of the AI speaker infected with the malicious code, the process of generating the malicious traffic template related to the AI speaker may optionally include the malicious code behavior pattern insertion process of FIG. 12.
- For example, if user A 611 and user B 612 use an AI speaker 600, traffic data related to the use of the AI speaker 600 may be generated for each user as time elapses.
- In this case, a traffic template 550 related to the AI speaker 600 may include at least one of a traffic template 551 related to user A 611 and a traffic template 552 related to user B 612. Each of the traffic template 551 related to user A 611 and the traffic template 552 related to user B 612 may be generated differently according to the usage pattern of the user, as described above.
- A method of generating a malicious traffic template for each user of an AI speaker will now be described in detail with reference to FIG. 12. A malicious traffic template for each user of an AI speaker may be generated using a malicious behavior pattern 400 of malicious code and a traffic template 550 generated for each user of the AI speaker.
- The malicious behavior pattern 400 of the malicious code may include information about patterns [...]. The traffic template 550 for each user of the AI speaker may include traffic data 553 related to any one or more of user A and user B using the AI speaker.
- For example, if certain malicious code shows malicious code behavior patterns in traffic data [...], the malicious traffic template 560 of the AI speaker may be generated such that the traffic data related to the user's use of the AI speaker includes the malicious code behavior patterns [...].
- Specifically, the malicious traffic template 560 may be generated by replacing the traffic template 550 related to the user's use of the AI speaker with the malicious code behavior pattern 410, or by adding the malicious code behavior pattern 420 to the traffic template 550 related to the user's use of the AI speaker. However, embodiments are not limited to this case, and it should be noted that the malicious traffic template 560 can include the malicious code behavior patterns [...].
- A method of generating a virtual terminal group will be described in detail with reference to FIG. 13. To generate a virtual malicious traffic template of a terminal group, the devices included in the terminal group and the users of the terminal group may be designated.
- Since a different malicious traffic template is generated according to the type of device included in a terminal group and according to the user, various learning models can be generated for the learning of a machine learning algorithm.
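As an added example, not code from the patent or its applicant, the per-function and per-user templates of FIGS. 8 through 12 modelled in Python: a template maps (user, device, function) to hourly byte counts, a malicious behavior pattern is inserted by replacement or by addition as in FIG. 12, and the per-user check of FIG. 10 (traffic during the working time of user B is suspect) is derived from the user's own quiet hours rather than from a fixed schedule. Users, devices, hours and byte counts are constructed sample data.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOURS = 24
# Template key: (user, device, function) -> 24 hourly byte counts (00:00 .. 23:00).
Template = Dict[Tuple[str, str, str], List[int]]


@dataclass(frozen=True)
class BehaviorPattern:
    """Traffic footprint of one malicious code on one device function."""
    name: str
    device: str
    function: str
    hours: Tuple[int, ...]   # hours of the day in which the pattern is active
    volume: int              # bytes generated in each active hour
    mode: str                # "replace" overwrites the slot, "add" accumulates


def empty_slots() -> List[int]:
    return [0] * HOURS


def make_normal_template() -> Template:
    """Constructed weekday template of a two-user terminal group (sample data)."""
    t: Template = {}
    # User A checks the weather in the morning and, during working time
    # (09:00-17:59), watches the home camera and operates the air conditioner.
    a_cam, a_ac, a_weather = empty_slots(), empty_slots(), empty_slots()
    for h in range(9, 18):
        a_cam[h] = 2000
        a_ac[h] = 400
    a_weather[7] = 800
    t[("A", "home camera", "motion video")] = a_cam
    t[("A", "smart air conditioner", "remote operation")] = a_ac
    t[("A", "AI speaker", "weather forecast")] = a_weather
    # User B uses the group only outside working time.
    b_music, b_weather = empty_slots(), empty_slots()
    for h in (19, 20, 21):
        b_music[h] = 5000
    b_weather[7] = 800
    t[("B", "AI speaker", "music search/playback")] = b_music
    t[("B", "AI speaker", "weather forecast")] = b_weather
    return t


def insert_behavior_pattern(normal: Template, user: str,
                            pattern: BehaviorPattern) -> Template:
    """Virtual malicious template: a copy of `normal` with `pattern` inserted
    into the slot of the function it abuses, attributed to `user`."""
    mal = deepcopy(normal)
    slot = mal.setdefault((user, pattern.device, pattern.function), empty_slots())
    for h in pattern.hours:
        if pattern.mode == "replace":
            slot[h] = pattern.volume
        elif pattern.mode == "add":
            slot[h] += pattern.volume
        else:
            raise ValueError(f"unknown insertion mode {pattern.mode!r}")
    return mal


def quiet_hours(normal: Template, user: str) -> List[int]:
    """Hours in which `user` generates no traffic on any device or function."""
    return [h for h in range(HOURS)
            if all(slot[h] == 0
                   for (u, _, _), slot in normal.items() if u == user)]


def flag_unexpected_hours(normal: Template, observed: Template,
                          user: str) -> List[int]:
    """Hours where `observed` carries traffic attributed to `user` although the
    user's normal template is silent then (the working-time-of-user-B check)."""
    quiet = set(quiet_hours(normal, user))
    flagged = set()
    for (u, _, _), slot in observed.items():
        if u == user:
            flagged.update(h for h in quiet if slot[h] > 0)
    return sorted(flagged)


if __name__ == "__main__":
    normal = make_normal_template()
    beacon = BehaviorPattern("camera beacon", "home camera", "motion video",
                             hours=(10, 11, 12), volume=300, mode="replace")
    for user in ("A", "B"):
        mal = insert_behavior_pattern(normal, user, beacon)
        print(user, flag_unexpected_hours(normal, mal, user))
```

The same pattern is flagged for user B and not for user A, which is why the patent generates templates per user rather than per device alone.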
- For example, ‘terminal group 1’ may include one ‘A-type user’ and at least one of an AI speaker, a smart TV, a smart refrigerator, a smart air conditioner, and a smart camera. Likewise, each of terminal groups 2 through 5 may also include various users and devices.
- A method of generating a network packet transmitted to a terminal group in order to generate a malicious traffic template of the terminal group will now be described with reference to FIGS. 14 through 21. To generate a virtual malicious traffic template of a terminal group, a network packet that induces the generation of traffic data of the terminal group is transmitted to or received from the terminal group.
- Referring to FIG. 14, a network packet 740 transmitted to or received from a terminal group in order to generate malicious traffic data of the terminal group may be generated to include at least one of information 710 about each function of each device included in the terminal group, user information 720 of the terminal group, and information 730 about the terminal group. The databases used to generate the network packet 740 that is transmitted to the terminal group in order to generate the malicious traffic data will now be described in detail with reference to FIGS. 15 through 20.
- Referring to FIG. 15, a database of terminal groups may include a terminal group identifier as its key value and may further include at least one of the Internet line bandwidth and the media access control (MAC) address of the terminal group's AP, according to embodiments.
- Referring to FIG. 16, a database of the users of each terminal group may include, as key values, the terminal group identifier (the key value of the database of terminal groups of FIG. 15) and a device user type identifier, and may further include a user identifier according to embodiments.
- Referring to FIG. 17, a database of device usage patterns for each user type may be generated using the data about terminal groups and the database of terminal group users. The database of device usage patterns for each user type in FIG. 17 may include, as key values, the device user type identifier and a device type code (a key value of a database of device users), and may further include additional information defining the device usage patterns of each user type.
- Because the database of device usage patterns for each user type is generated, a malicious traffic template of a device can be generated in many variations and precisely, based on the various patterns in which the device is used by each user type. For example, if a user has a usage pattern similar to the behavior pattern of specific malicious code, then, because the user's usage patterns are managed in the database, it is possible to generate a malicious traffic template that differs from the user's normal usage pattern by a slight degree that was not distinguishable before. Therefore, a machine learning algorithm trained using the malicious traffic template can distinguish the many fine differences between the behavior pattern of the malicious code and the usage pattern of the user.
- Referring to FIG. 18, a database of the types of devices included in a terminal group may include a device type code as its key value and may further include at least one of a device type name and a device type description according to embodiments. The device type code may be a specific identifier assigned to each device type. For example, a wired telephone, a wireless telephone, and a mobile phone, which are all of the communication device type, may have the same device type code.
- Referring to FIG. 19, a database of device functions may include a device function type code as its key value and may further include at least one of a device function type name and a device function type description according to embodiments. The device function type code may be a specific identifier assigned to each device function. For example, when a smart TV and a smart air conditioner each have a function of requesting connection to the AP of a terminal group, the two functions of requesting connection to the AP may have the same function type code.
- Referring to FIG. 20, a database of traffic pattern information for each device function may be generated using the database of device types and the database of device functions according to embodiments. The database of traffic pattern information for each device function may include the device type code (the key value of the database of device types of FIG. 18) and the device function type code (the key value of the database of device functions of FIG. 19), and may further include information defining a traffic pattern for each device and each device function.
- Because the database of traffic pattern information for each device function is generated, a malicious traffic template of a device can be generated in many variations and precisely, based on the various patterns in which the device is used for each device function of a terminal group. For example, if the pattern in which a specific function of a device is used is similar to the behavior pattern of specific malicious code, then, because the traffic pattern information for each device function is managed in the database, it is possible to generate a malicious traffic template that differs from the normal usage pattern of that function of the device by a slight degree that was not distinguishable before. Therefore, a machine learning algorithm trained using the malicious traffic template can distinguish the many fine differences between the behavior pattern of the malicious code and the normal usage pattern of the device.
- Network packets transmitted or received according to a terminal group's malicious traffic template, generated using the databases of FIGS. 14 through 20 according to embodiments, will now be described with reference to FIG. 21.
- For example, when the IP address of an AI speaker in a terminal group is ‘192.213.213.22’, the IP address of the AP of the terminal group is ‘123.234.23.126’, and a behavior pattern of malicious code consists of exchanging a signal between the AP and the AI speaker every second, a malicious traffic template may be generated such that, at an interval of 1 second from 06:00 on Jan. 1, 2018, the AI speaker transmits a packet having a size of 45 to the AP, the AP transmits a packet having a size of 46 to the AI speaker, and then the AI speaker transmits a packet having a size of 251 to the AP, as illustrated in FIG. 21.
- Referring to FIG. 22, a computing apparatus 100 for performing a method of generating a malicious traffic template of a terminal group according to the current embodiment may include a processor 110 and a memory 120, and may further include at least one of a storage 140, a network interface 130, and a system bus in some embodiments.
- One or more instructions 121 through 123 loaded and stored in the memory 120 may be executed by the processor 110 and may generate a malicious traffic template 124 to be stored in the memory 120. It should be noted that, although not specifically described, the computing apparatus 100 for performing a device operating system identification method according to the current embodiment can perform the method of generating a malicious traffic template of a terminal group described above with reference to FIG. 1.
- The network interface 130 may transmit a packet to a device included in a terminal group or receive a packet from the device. Information about the received packet may be stored in the storage 140.
- The storage 140 may store malicious code behavior analysis information 141 including malicious code behavior patterns, and traffic data 142 for each device received from each terminal group.
- The instructions 121 through 123 may include an instruction 121 for extracting traffic data for each device included in a terminal group, an instruction 122 for extracting malicious code behavior patterns from the malicious code behavior analysis information 141 stored in the storage 140, and an instruction 123 for generating a virtual malicious traffic template of the terminal group for each malicious code.
- In an embodiment, the instruction 121 for extracting the traffic data for each device may extract normal traffic from the devices included in the terminal group, in order to insert malicious code into the traffic data, or may extract traffic data of a device infected with malicious code.
- In an embodiment, the instruction 122 for extracting the malicious code behavior patterns may extract behavior patterns of malicious code in traffic data from the known malicious code behavior analysis information 141, in order to generate a malicious traffic template for each malicious code.
- In an embodiment, the instruction 123 for generating the virtual malicious traffic template of the terminal group for each malicious code may generate a malicious traffic template for device use by user type using the extracted traffic data and malicious code behavior patterns, or may generate a malicious traffic template for each device function and a malicious traffic template for the terminal group.
- While the present disclosure has been particularly illustrated and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present disclosure as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.
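As an added example, not part of the patent, the FIG. 21 template expanded into timestamped packet records and then summarised the way a flow collector or a periodicity check on the defender's side would see it. The IP addresses, start time and packet sizes are the ones quoted above; the repetition of the three-packet exchange once per second, the 100 ms spacing between packets inside one exchange, and the record layout are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

AI_SPEAKER_IP = "192.213.213.22"   # addresses quoted in the FIG. 21 example
AP_IP = "123.234.23.126"


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    size: int


@dataclass(frozen=True)
class ExchangeTemplate:
    """One period of a behavior pattern: the ordered (src, dst, size) steps,
    the period length, and the assumed gap between steps inside a period."""
    steps: Tuple[Tuple[str, str, int], ...]
    period: timedelta
    step_gap: timedelta


# FIG. 21 pattern: speaker -> AP 45 bytes, AP -> speaker 46 bytes,
# speaker -> AP 251 bytes, repeated every second (the 100 ms step gap is assumed).
FIG21_PATTERN = ExchangeTemplate(
    steps=((AI_SPEAKER_IP, AP_IP, 45),
           (AP_IP, AI_SPEAKER_IP, 46),
           (AI_SPEAKER_IP, AP_IP, 251)),
    period=timedelta(seconds=1),
    step_gap=timedelta(milliseconds=100),
)


def expand_template(tmpl: ExchangeTemplate, start: datetime,
                    periods: int) -> List[Packet]:
    """Materialise `periods` repetitions of the exchange beginning at `start`."""
    packets: List[Packet] = []
    for n in range(periods):
        base = start + n * tmpl.period
        for i, (src, dst, size) in enumerate(tmpl.steps):
            packets.append(Packet(base + i * tmpl.step_gap, src, dst, size))
    return packets


def flow_summary(packets: List[Packet]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Per direction (src, dst): (packet count, total bytes), as a flow
    collector would report it for the generated traffic."""
    out: Dict[Tuple[str, str], List[int]] = {}
    for p in packets:
        agg = out.setdefault((p.src, p.dst), [0, 0])
        agg[0] += 1
        agg[1] += p.size
    return {k: (v[0], v[1]) for k, v in out.items()}


def beacon_interval(packets: List[Packet], src: str, dst: str,
                    size: int) -> Optional[timedelta]:
    """Constant inter-arrival time of the (src, dst, size) packets, or None when
    they are absent, too few, or not strictly periodic. A fixed 1 s interval is
    what separates the FIG. 21 template from normal use of the same function."""
    ts = sorted(p.ts for p in packets if (p.src, p.dst, p.size) == (src, dst, size))
    if len(ts) < 3:
        return None
    deltas = {ts[i + 1] - ts[i] for i in range(len(ts) - 1)}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    generated = expand_template(FIG21_PATTERN, datetime(2018, 1, 1, 6, 0, 0), 60)
    print(flow_summary(generated))
    print(beacon_interval(generated, AI_SPEAKER_IP, AP_IP, 45))
```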
Claims (15)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2018-0149569 | 2018-11-28 | ||
KR1020180149569A KR101990022B1 (en) | 2018-11-28 | 2018-11-28 | Method for generating malicious traffic template about device group including malicious device apparatus thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
US20200169577A1 true US20200169577A1 (en) | 2020-05-28 |
US11245712B2 US11245712B2 (en) | 2022-02-08 |
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/517,500 Active 2040-03-15 US11245712B2 (en) | 2018-11-28 | 2019-07-19 | Method and apparatus for generating virtual malicious traffic template for terminal group including device infected with malicious code |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: KOREA INTERNET & SECURITY AGENCY, KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OH, SUNG TAEK;GO, WOONG;KIM, MI JOO;AND OTHERS;REEL/FRAME:049909/0527 Effective date: 20190701 |